Notice how, when the user provides the correct credentials, we then check their location. If the location is already associated with that user account, then the user is able to authenticate successfully.

If not, we create a NewLocationToken and a disabled UserLocation – to allow the user to enable this new location. More on that, in the following sections.

Note how, when the user logs in from a different location, we’ll send an email to notify them.

If someone else attempted to log into their account, they’ll, of course, change their password. If they recognize the authentication attempt, they’ll be able to associate the new login location to their account.

6. Enable a New Login Location

Finally, now that the user has been notified of the suspicious activity, let’s have a look at how the application will handle enabling the new location: